Organization responsibilities for protecting personal information

Under PIPA, organizations must take reasonable measures to protect the personal information they hold.

Overview

Holding personal information is a responsibility, and under the Personal Information Protection Act (PIPA) organizations must take reasonable measures to protect personal information and personal employee information.

Reasonable security measures

Organizations must develop policies and practices including those that protect personal information. These policies should be available in writing for an organization to provide to individuals, if requested. They should include information about how the organization handles and protects information in its care. For example:

physical security, such as locked doors and alarms

technological security, such as password protection and encryption on computers and mobile devices

administrative security, such as confidentiality agreements and terms of use for information technology

Limiting the amount of personal information your organization collects in the first place makes security arrangements easier. Security should be appropriate to the level of sensitivity of the information.

PIPA violations

Organizations cannot take action against employees who refuse to act in violation of PIPA or who report an alleged violation of PIPA.

If a person fails to comply with PIPA or deliberately contravenes it, there are offences and penalties:

in the case of an individual, to a fine of not more than $10,000

in the case of a person other than an individual, to a fine of not more than $100,000

The term ‘individual’ applies when the entity appears as a living, breathing human being. The term “person” is applicable when it appears as an entity that is a legal person. This includes individuals and corporations, and any other entities with personhood.

Using a service provider outside Canada

If an organization uses a service provider outside of Canada for the collection, use, or disclosure of personal information, your policies and practices must include:

the country where this is occurring or may occur

the purpose(s) for which the service provider is authorized to collect, use, or disclose the information

When an organization uses a service provider outside Canada to collect personal information, or transfers personal information directly or indirectly to a service provider outside Canada, the organization must notify the individual in writing or orally:

how they can obtain access to policies and practices with respect to the service provider

the name, position name or title of a person who is able to answer questions on behalf of the organization with respect to the service provider

Mandatory privacy breach reporting

The Office of the Information and Privacy Commissioner (OIPC) has many resources to assist an organization in determining what to do when there is an actual, suspected or alleged breach and also to understand how risk is assessed.

If an actual privacy breach occurs and a reasonable person would consider the breach to pose a real risk of significant harm to individual(s), the organization must notify the OIPC. Reporting a breach to the OIPC is necessary even if only one individual is at risk.

A breach report to the OIPC must be in writing and include the following:

circumstances of the breach

date or time period when incident occurred

personal information involved

risk assessment of harm to individuals as a result

estimated number of individuals’ impacted

steps taken to reduce risk of harm

steps taken to notify impacted individuals

a contact person

The OIPC may require the organization to notify individuals. When notifying individuals, organizations need to provide the following directly to the individual:

circumstances of the breach

date or time period when incident occurred

personal information involved

steps taken to reduce risk of harm

a contact person

Accuracy, retention and destruction

Organizations need to keep personal information as accurate as is reasonable depending upon the purpose for which it is collected, used or disclosed. For example, if information is likely to be outdated, an organization should take steps to ensure it is still valid.

Organizations must keep personal information only for as long as it is reasonable to carry out business or legal purposes. After it is no longer needed for those purposes, personal information should either be securely destroyed or made anonymous.

Disclaimer

All persons reviewing Service Alberta’s Personal Information Protection Act site are reminded that it has no legislative sanction, and has been provided for guidance and convenience of reference only. The official Statutes and Regulations should be consulted for all purposes of interpreting and applying the law.